[Esapi-user] SideJacking Question

Jim Manico jim.manico at owasp.org
Wed May 25 12:06:55 EDT 2011


I recommend keeping your session ID in cookies that are both HTTPOnly (no JavaScript access) and SECURE (HTTPS) cookies. Also, you should leverage your platform's session management mechanism and try to avoid writing your own session management mechanism if you can.

An AJAX request is no different than other requests. Just make sure sensitive data is part of an SSL POST payload instead of in GET parameters.

:)

Jim Manico

On May 25, 2011, at 5:47 PM, "Lukas, Ray" <Ray.Lukas at supermedia.com> wrote:

> I am new, very new, so... 
> Sidejacking, roughly defined as stealing someone's authenticated session object, thereby stealing their identity. 
> Solution is to never send the Session through anything that is not an SSL channel. In ESAPI, if I have this right, you say ESAPI.httpUtilities().assertSecureChannel();
> Now (at last) The Question:
> Sessions can also be transmitted by Ajax requests, right, so... Does this help me with that as well..?
> 
> Thanks guys.. I am still reading and learning.. but you got my attention at least.. 
> 
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
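The two pieces of advice in this exchange, cookie flags on the container's session cookie and ESAPI.httpUtilities().assertSecureChannel() applied uniformly to every request including XMLHttpRequest calls, as an added example that is not code from this thread or from ESAPI itself. It assumes a Servlet 3.0 container and ESAPI 2.x on the classpath; the package name, the class names and the "/api/" path prefix are hypothetical, and the two classes each go in their own source file. Note that assertSecureRequest (the stricter check used for the sensitive prefix) requires both TLS and POST, which is the "SSL POST payload instead of GET parameters" point from the reply.

```java
// Added example, not code from ESAPI or from the original posters.
// Assumes a Servlet 3.0 container and ESAPI 2.x; package, class names and
// the "/api/" prefix are hypothetical. Each class belongs in its own file.
package com.example.web;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;

/**
 * Flags the container-managed session cookie (JSESSIONID) as HttpOnly and Secure
 * once, at application start. This is the "use your platform's session management"
 * part: no hand-rolled session tokens, just flags on the cookie the container issues.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // not readable via document.cookie, so script injection cannot lift it directly
        cfg.setSecure(true);   // browser only sends it over HTTPS, so it never travels in clear text
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

/**
 * Rejects any request that arrives over a non-TLS channel, and additionally requires
 * POST under the hypothetical "/api/" prefix where sensitive parameters are submitted.
 * An XMLHttpRequest call passes through this filter exactly like a form submission,
 * carrying the same session cookie, so AJAX needs no separate handling.
 */
@WebFilter("/*")
public class SecureChannelFilter implements Filter {
    private static final String SENSITIVE_PREFIX = "/api/"; // hypothetical

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Make the current request/response available to ESAPI's no-argument helpers.
        ESAPI.httpUtilities().setCurrentHTTP(req, resp);
        try {
            // Throws AccessControlException unless the request came in over TLS.
            ESAPI.httpUtilities().assertSecureChannel(req);

            String path = req.getServletPath();
            if (path != null && path.startsWith(SENSITIVE_PREFIX)) {
                // Stricter: TLS and POST, so sensitive values travel in the body rather
                // than in a query string that ends up in logs, history and Referer headers.
                ESAPI.httpUtilities().assertSecureRequest(req);
            }
        } catch (AccessControlException e) {
            // Fail closed rather than redirecting to https: if this request was clear-text,
            // any session cookie it carried has already been exposed on the wire.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Because the Secure flag is set at the container level, the session cookie is never offered to a plain-HTTP request in the first place; the filter is the second layer, turning any clear-text request (browser navigation or AJAX alike) into a 403 instead of quietly serving it with a session attached.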

